Remediate potentially compromised AccessKey pairs - Resource Access Management

If you suspect that an AccessKey pair for your Alibaba Cloud account has been compromised, you must take immediate action to protect your account. A compromised AccessKey pair can lead to unauthorized resource access, unexpected charges, and potential data breaches. This topic describes the immediate steps you should take to respond to a compromised AccessKey pair.

Alibaba Cloud's automated response

Alibaba Cloud continuously monitors for publicly exposed AccessKey pairs. If we detect a compromised AccessKey pair, we immediately notify you through the contact information associated with your account. To protect your resources, we also automatically apply a restrictive protection policy to the compromised AccessKey pair. This policy blocks high-risk API operations until you take action. For more information, see Restrictive protection for compromised AccessKey pairs.

Warning

Always monitor notifications from Alibaba Cloud through SMS, email, and console messages. If you receive a notification about a compromised AccessKey pair, take immediate action. You are responsible for auditing your account for any unauthorized activity.

Note

Under the shared responsibility model, you are responsible for securing your credentials. While Alibaba Cloud provides automated detection for publicly exposed AccessKey pairs, you must manage and protect all of your AccessKey pairs.

Immediate response for a compromised AccessKey pair of an Alibaba Cloud account

If the AccessKey pair is not in use, disable and delete it on the AccessKey page.
If the AccessKey pair is in use, rotate it on the AccessKey page.
Create a new AccessKey pair, update your applications to use it, and then disable and delete the compromised AccessKey pair.

Immediate response for a compromised AccessKey pair of a RAM user

If the AccessKey pair is not in use, immediately disable and delete it.
If the AccessKey pair is in use and can be rotated immediately, do so without delay.
Create a new AccessKey pair, update your applications to use it, test the change, and then disable and delete the compromised AccessKey pair. For more information, see Rotate an AccessKey pair for a RAM user.
If the AccessKey pair is in use and cannot be rotated immediately without disrupting your business, follow the following steps to mitigate the risk. You must still rotate the AccessKey pair as soon as possible.
Step 1: Revoke permissions from the AccessKey pair
To limit the potential damage, immediately restrict the permissions of the RAM user associated with the compromised AccessKey pair. Attach a new policy to the user that explicitly denies high-risk permissions. This action helps prevent an attacker from causing significant harm, such as deleting resources or creating new users.
Also, review the RAM user's existing permissions and remove any that are not essential for your business operations to continue.
The following code provides a sample custom policy to deny high-risk permissions. Evaluate this policy and customize it to fit your security requirements before applying it.
```
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:AddUserToGroup",
        "ram:AttachPolicyToGroup",
        "ram:AttachPolicyToRole",
        "ram:AttachPolicyToUser",
        "ram:ChangePassword",
        "ram:CreateAccessKey",
        "ram:CreateLoginProfile",
        "ram:CreatePolicyVersion",
        "ram:CreateRole",
        "ram:CreateUser",
        "ram:DetachPolicyFromUser",
        "ram:PassRole",
        "ram:SetDefaultPolicyVersion",
        "ram:UpdateAccessKey",
        "ram:SetPasswordPolicy",
        "ram:UpdateRole",
        "ram:UpdateLoginProfile",
        "ram:UpdateUser"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteInstance",
        "ecs:DeleteInstances",
        "ecs:DeregisterManagedInstance",
        "ecs:ReleaseDedicatedHost"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "rds:DeleteAccount",
        "rds:DeleteDatabase",
        "rds:DeleteDBInstance",
        "rds:DestroyDBInstance"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteBucket",
        "oss:DeleteObject",
        "oss:PutBucketAcl",
        "oss:PutBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "log:DeleteLogStore",
        "log:DeleteProject",
        "log:PutProjectPolicy",
        "log:DeleteProjectPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dysms:CreateProductNew",
        "dysms:CreateSmsTemplateNew",
        "dysms:AddSmsTemplate",
        "dysms:SendSms",
        "dysms:SendBatchSms"
      ],
      "Resource": "*"
    }
  ]
}
```
For more information, see Create custom policies and Grant permissions to a RAM user.
Step 2: Enable MFA for the RAM user
If the RAM user has permission to log on to the console, enable multi-factor authentication (MFA) as a security best practice.
1. Enforce an MFA requirement for the user's console logon.
2. Work with the user to bind a new MFA device to their account.
Step 3: Check for abnormal operations performed with the AccessKey pair
Audit all activities performed by the compromised AccessKey pair to identify any unauthorized actions. Look for unusual activities, such as resource creation or deletion in unexpected regions, or API calls from unknown IP addresses.
You can investigate AccessKey pair activities using one of the following methods:
- Method 1: Use the RAM console for a quick review
  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Click the username of the target RAM user.
  4. On the user details page, click the Authentication tab.
  5. In the AccessKey section, review the operation history and last used information for the specified AccessKey pair.
- Method 2: Use ActionTrail for a comprehensive audit
  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click AccessKey Pair Audit.
  3. In the search box, filter the event history by the compromised AccessKey ID to review all associated API calls and user activities.
Note
For data events not logged by ActionTrail (such as object access in OSS), you must enable and check the logs for each service individually.
During your audit, also look for suspicious activities from other RAM users or AccessKey pairs. An attacker might have used the initial compromised AccessKey pair to create other backdoors. If you find any unauthorized activity:
- For any legitimate user with suspicious activities, immediately reset their password and require them to use MFA.
- Delete any RAM users that were created without authorization.
- If you find other compromised AccessKey pairs, follow this same procedure to restrict their permissions and rotate them.
Step 4: Check for abnormal charges
In the Expenses and Costs console, review your billing details for any unexpected charges. Unauthorized resource usage, such as for cryptocurrency mining, can lead to a significant increase in costs. If you find unauthorized resources, delete them immediately after documenting them for your investigation.

Best practices for prevention

For more information, see Best practices for using an access credential to call API operations.